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In thn Claims ; 

Please cancel claims 1-4, 8-9, and 13-18. Please amend claims 5-7 and 10-12. Please 
add new claims 1 9-30. The claims arc as follows: 

1-4. (Canceled) 



5. (Currently amended) A method of operating an intrusion detection system, comprising the 
steps of: 

ninnjtnriTlCi wy ^ ; „ <T .,cion Action system, for occurrence of a signature event ihatjs 
jndi^vft nf a d e«v.i ^.rvicc intm fi™ «n anrotccted device, said denial of service attack 
BHr tmpting to im p"** ^prmlmn of the protected device; and 

when a signature event occurs, increasing a value of a signature event counter and 
comparing the value of the signature event counter with a signature threshold quantity; and 

when the value of the signature event counter exceeds the signature threshold quantity, 
generating an iN V - ^"sor of ihe intrusion detection system, recording a 

time of generating the alert in a log nf a povemor comprise hy the intrust detection sensor , 
determining from contents of the log a present alert generation rate, and comparing the present 
alert generation rate with an alert generation rate threshold; and 

when the present alert generation rate exceeds the alert generation rate threshold, altering 
an element or a signature set of tm the intrusion detection system to decrease an alert generation 
rate of an the intrusion detection sensor. 
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6. (Currently amended) The method of claim 5, wherein the element is [[a]] fla signature 
threshold quantity. 

7. (Currently amended) The method of claim 5, wherein the element is a signature Ihrcsliold 
in^ai iKnt sp ^fies a slid er limo window. 

8-9. (Canceled) 

10. (Currently amended) Programmable media containing programmable software for operation 
of an intrusion detection system, programmable software comprising the steps of: 

Tnnni1nrinr Wn.-d™ detect ion system, for occurrence of a signature event thatjs 

infti - ltiv - .f. H.n; a l MWcc int ™™ nn a nrotected device, said denial of service attack 
^tem pting to im pede opcra ^n of the protected device; and 

when a signature event occurs, increasing a value of a signature event counter and 
comparing the value of the signature event counter with a signature threshold quantity; and 

when the value orihe signature event counter exceeds the signature threshold quantity, 
generating an alert hv „n intrusion dtf «r.tinn sensor of the intrusion detection system, recording a 
lime of generating the alert in a log of a povemor comprised by the intrusion detection sensor , 
determining from contents of the log a present alert generation rate, and comparing the present 
alert generation rate with an alert generation rate threshold; and 



09/966,227 



PAGE 4/13 ' RCVD AT (12012005 12:36:20 PM [Eastern Daylight Time] * SVR:USPTO-EFXRF-1/0 * DNIS:8729306 * CSID: * DURATION (mm-ss):03-04 



JUN-20-05 HON 12:01 PM FAX NO. P. 05 



when the present alert generation rate exceeds the alert generation rale threshold, altering 
an element ora signature set otmt the intrusion detection system to decrease an alert generation 
rate of an the intrusion detection server. 

U. (Currently amended) The programmable media of claim 10, wherein the clement is [[a]] the. 
signature threshold quantity. 

12. (Currently amended) The programmable media of claim 10, wherein the element is a 
signature threshold interval thnl irrHfi" » ^in P lime window. 

13-18. (Canceled) 

19. (New) The method of claim 5, wherein said generating the alert comprises alerting an 
administrator of suspected denial of service intrusions upon the protect device. 

20. (New) The method of claim 5, wherein the alert generation rate threshold is comprised by the 
governor. 

21. (New) The method of claim 5, wherein the signature set comprises a unique signature set 
identifier, the signature event, the signature event counter, the signature threshold quantity, and a 

gnature threshold interval that specifics a sliding lime window. 
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22. (New) The method of claim 5, wherein the protected device is selected from the group 
consisting of a computer, a web server, and a workstation. 

23. (New) The method of claim 5, wherein the method further comprises the step of entering into 
the log a list of timestamps that record the times at which the intrusion detection sensor generates 
alerts, wherein said determining from contents of the log a present alert generation rate utilizes 

tho limeslamps in the log. 

24. (New) The method of claim 5, wherein after generating the alert and before determining from 
contenls of the log theprcsent alert generation rate, the method further comprises the step oft 

clearing the log of any entries that arc past a specified age. 

25. (New) The programmable mediaof claim 10, wherein said generating the alert comprises 
alerting an administrator of suspected denial of service intrusions upon the protect device. 

26. (New) The programmable media of claim 10, wherein the alert generation rate threshold is 
comprised by the governor. 

27. (New) The programmable m*tia of claim 10, wherein the signature set comprises a unique 
signature set identifier, the signature event, the signature event counter, the signature threshold 
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quantity, and a signature threshold interval that specifics a sliding lime window. 



28. (New) The programmable media of claim 10, wherein the protected device is selected from 
the group consisting of a computer, a web server, and a workstation. 

29. (New) The programmable media of claim 10, wherein the programmable software further 
comprises the step of entering into the log a list of timestamps that record the times at which the 
intrusion detection sensor generates alerts, wherein said determining from contents of the log a 
present alert generation rate utilizes the timestamps in the log. 

30. (New) The programmable media of claim 10, wherein after generating the alert and before 
determining from contents of the log the present alert generation rate, the programmable software 
further comprises the step of: 

clearing the log of any entries that arc past a specified age. 
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